Despite enormous theoretical and experimental progress in quantum cryptography, the 
security of most current implementations of quantum key distribution is still not rigorously 
established. One significant problem is that the security of the final key strongly depends on 
the number, M, of signals exchanged between the legitimate parties — yet existing security 
proofs are often only valid asymptotically, for unrealistically large values of M. Another 
challenge is that most security proofs are very sensitive to small differences between the 
physical devices used by the protocol and the theoretical model used to describe them. Here, 
we show that these gaps between theory and experiment can be simultaneously overcome 
by using a recently developed proof technique based on the uncertainty relation for smooth 
entropies. 

Quantum Key Distribution (QKD), invented by Bennett and Brassard [1] and by Ekert [2], can 
be considered the first application of quantum information science, and commercial products have 
already become available. Accordingly, QKD has been an object of intensive study over the past 
few years. On the theory side, the security of several variants of QKD protocols against general 
attacks has been proved [3-8]. At the same time, experimental techniques have reached a state of 
development that enables key distribution at MHz rates over distances of 100 km [9-11]. 

Despite these developments, there is still a large gap between theory and practice, in the sense 
that the security claims are based on assumptions that are not (or cannot be) met by experimental 
implementations. For example, the proofs often rely on theoretical models of the devices (such 
as photon sources and detectors) that do not take into account experimentally unavoidable 
imperfections (see [12] for a discussion). In this work, we consider prepare-and-measure quantum 
key distribution protocols, like the original Bennett-Brassard 1984 (BB84) protocol [1]. Here, one 
party prepares quantum systems (e.g. the polarization degrees of freedom of photons) and sends 
them through an insecure quantum channel to another party who then measures the systems. In 
order to analyze the security of such protocols, the physical devices used by both parties to prepare 
and measure quantum systems are replaced by theoretical device models. The goal, from a theory 
perspective, is to make these theoretical models as general as possible so that they can 
accommodate imperfect physical devices independently of their actual implementation. (This approach, 
in the context of entanglement-based protocols, also led to the development of device-independent 
quantum cryptography — see [13, 14] for recent results.) 

Another weakness of many security proofs is the asymptotic resource assumption, i.e., the 
assumption that an arbitrarily large number M of signals can be exchanged between the legitimate 
parties and used for the computation of the final key. This assumption is quite common in the 
literature, and security proofs are usually only valid asymptotically as M tends to infinity. However, 
the asymptotic resource assumption cannot be met by practical realizations — in fact, the key is 
often computed from a relatively small number of signals ($M \ll 10^{\ldots}$). This problem has recently 
received increased attention and explicit bounds on the number of signals required to guarantee 
security have been derived [15-21]. 

In this work, we apply a novel proof technique [22] that allows us to overcome the above 
difficulties. In particular, we derive almost tight bounds on the minimum value M required to achieve 
a given level of security. The technique is based on an entropic formulation of the uncertainty 
relation [23] or, more precisely, its generalization to smooth entropies [22]. Compared to preexisting 
methods, our technique is rather direct. It therefore avoids various estimates, including the de 
Finetti Theorem [24] and the Post-Selection technique [25], that have previously led to too 
pessimistic bounds. Roughly speaking, our result is a lower bound on the achievable key rate which 
deviates from the asymptotic result (where M is infinitely large) only by terms that are caused 
by (probably unavoidable) statistical fluctuations in the parameter estimation step. Moreover, we 
believe that the theoretical device model used for our security analysis is as general as possible for 
protocols of the prepare-and-measure type. 

RESULTS 
Security Definitions 

We follow the discussion of composable security [26] and first take an abstract view on QKD 
protocols. A QKD protocol describes the interaction between two players, Alice and Bob. Both 
players can generate fresh randomness and have access to an insecure quantum channel as well 
as an authenticated (but otherwise insecure) classical channel. (Note that, using an 
authentication protocol, any insecure channel can be turned into an authentic channel. The authentication 
protocol will however use some key material, as discussed in [27].) 

The QKD protocol outputs a key, $S$, on Alice's side and an estimate of that key, $\hat S$, on Bob's 
side. This key is usually an $\ell$-bit string, where $\ell$ depends on the noise level of the channel, as 
well as the security and correctness requirements on the protocol. The protocol may also abort, in 
which case we set $S = \hat S = \perp$. 

In the following, we define what it means for a QKD protocol to be secure. Roughly speaking, 
the protocol has to (approximately) satisfy two criteria, called correctness and secrecy. These 
criteria are conditions on the probability distribution of the protocol output, $S$ and $\hat S$, as well as 
the information leaked to an adversary, E. These depend, in general, on the attack strategy of the 
adversary, who is assumed to have full control over the quantum channel connecting Alice and 
Bob, and has access to all messages sent over the authenticated classical channel. 

A QKD protocol is called correct if, for any strategy of the adversary, $S = \hat S$. It is called 
$\varepsilon_{\mathrm{cor}}$-correct if it is $\varepsilon_{\mathrm{cor}}$-indistinguishable from a correct protocol. In particular, a protocol is 
$\varepsilon_{\mathrm{cor}}$-correct if $\Pr[S \neq \hat S] \le \varepsilon_{\mathrm{cor}}$. 

In order to define the secrecy of a key, we consider the quantum state $\rho_{SE}$ that describes the 
correlation between Alice's classical key $S$ and the eavesdropper, $E$ (for any given attack strategy). 
A key is called $\Delta$-secret from $E$ if it is $\Delta$-close to a uniformly distributed key that is uncorrelated 
with the eavesdropper, i.e. if 

$$\tfrac{1}{2}\,\bigl\|\rho_{SE} - \omega_S \otimes \rho_E\bigr\|_1 \le \Delta , \qquad (1)$$

where $\omega_S$ denotes the fully mixed state on $S$ and $\rho_E$ is the marginal state on the system $E$. For a 
motivation and discussion of this particular secrecy criterion (in particular the choice of the norm) 
we refer to [28]. 

A QKD protocol is called secret if, for any attack strategy, $\Delta = 0$ whenever the protocol outputs 
a key. It is called $\varepsilon_{\mathrm{sec}}$-secret if it is $\varepsilon_{\mathrm{sec}}$-indistinguishable from a secret protocol. In particular, a 
protocol is $\varepsilon_{\mathrm{sec}}$-secret if it outputs $\Delta$-secret keys with $(1 - p_{\mathrm{abort}})\,\Delta \le \varepsilon_{\mathrm{sec}}$, where $p_{\mathrm{abort}}$ is the 
probability that the protocol aborts. (To see that this suffices to ensure $\varepsilon_{\mathrm{sec}}$-indistinguishability, 
note that the secrecy condition is trivially fulfilled if the protocol aborts.) 

In some applications it is reasonable to consider correctness and secrecy of protocols separately, 
since there may be different requirements on the correctness of the key (i.e., that Bob's key agrees 
with Alice's, implying that messages encrypted by Alice are correctly decrypted by Bob) and 
secrecy. In fact, in many realistic applications, an incorrect decoding of the transmitted data 
would be detected so that the data can be resent. For such applications, $\varepsilon_{\mathrm{cor}}$ may be chosen larger 
than $\varepsilon_{\mathrm{sec}}$. 

However, secrecy of the protocol alone as defined above does not ensure that Bob's key is secret 
from the eavesdropper as well. One is thus often only interested in the overall security of the 
protocol (which automatically implies secrecy of Bob's key). 

A QKD protocol is called secure if it is correct and secret. It is called $\varepsilon$-secure if it is 
$\varepsilon$-indistinguishable from a secure protocol. In particular, a protocol is $\varepsilon$-secure if it is $\varepsilon_{\mathrm{cor}}$-correct 
and $\varepsilon_{\mathrm{sec}}$-secret with $\varepsilon_{\mathrm{cor}} + \varepsilon_{\mathrm{sec}} \le \varepsilon$. 

Finally, the robustness, $\varepsilon_{\mathrm{rob}}$, is the probability that the protocol aborts even though the 
eavesdropper is inactive. (More precisely, one assumes a certain channel model which corresponds to 
the characteristics of the channel in the absence of an adversary. For protocols based on qubits, 
the standard channel model used in the literature is the depolarizing channel. We also chose this 
channel model for our analysis in the discussion section, thus enabling a comparison to the existing 
results.) Note that a trivial protocol that always aborts is secure according to the above definitions, 
and a robustness requirement is therefore necessary. In this work, we include the robustness $\varepsilon_{\mathrm{rob}}$ 
in our estimate for the expected key rate (when the eavesdropper is inactive) and then optimize 
over the protocol parameters to maximize this rate. 

Device Model 

Recall that Alice and Bob are connected by an insecure quantum channel. On one side of 
this channel, Alice controls a device allowing her to prepare quantum states in two bases, $X$ and 
$Z$. In an optimal scenario, the prepared states are qubits and the two bases are diagonal, e.g. 
$X = \{|0\rangle, |1\rangle\}$ and $Z = \{|+\rangle, |-\rangle\}$ with $|\pm\rangle := (|0\rangle \pm |1\rangle)/\sqrt{2}$. More generally, we characterize the 
quality of a source by its preparation quality, $q$. The preparation quality — as we will see in the 
following — is the only device parameter relevant for our security analysis. It achieves its maximum 
of $q = 1$ if the prepared states are qubits and the bases are diagonal, as in the example above. 
In the following, we discuss two possible deviations from a perfect source and how they can be 
characterized in terms of $q$. 

Firstly, if the prepared states are guaranteed to be qubits, we characterize the quality of Alice's 
device by the maximum fidelity it allows between states prepared in the $X$ basis and states prepared 
in the $Z$ basis. Namely, we have $q = -\log \max |\langle \psi_x | \psi_z \rangle|^2$, where the maximization is over all states 
$|\psi_x\rangle$ and $|\psi_z\rangle$ prepared in the $X$ and $Z$ basis, respectively. (In this work, $\log$ denotes the binary 
logarithm.) The maximum $q = 1$ is achieved if the basis states are prepared in diagonal bases, as 
is the case in the BB84 protocol. 

In typical optical schemes, qubits are realized by polarization states of single photons. An ideal 
implementation therefore requires a single-photon source in Alice's laboratory. In order to take 
into account sources that emit weak coherent light pulses instead, the analysis presented in this 
paper can be extended using photon tagging [29] and decoy states [30]. This approach — although 
beyond the scope of the present article — can be incorporated into our finite-key analysis. (See 
also [31-33] for recent results on the finite-key analysis of such protocols.) 

Secondly, consider a source that prepares states in the following way: The source produces two 
entangled particles and then sends out one of them while the other is measured in one of two 
bases. The choice of basis for the measurement decides whether the states are prepared in the X 
or Z basis. Together with the measurement outcome, which is required to be uniformly random 
for use in our protocol, this determines which of the four states is prepared. For such a source, 
the preparation quality is given by $q = -\log \max \bigl\|\sqrt{M_x}\sqrt{N_z}\bigr\|_\infty^2$, where $\{M_x\}_x$ and $\{N_z\}_z$ are the 
elements of the positive operator valued measurements (POVMs) that are used to prepare the 
state in the $X$ and the $Z$ basis, respectively. If the produced state is that of two fully entangled 
qubits and the measurements are projective measurements in diagonal bases, we recover BB84 and 
$q = 1$ [34]. Sources of this type have recently received increased attention since they can be used 
as heralded single photon sources [35, 36] and have applications in (device independent) quantum 
cryptography [37-39]. 

On the other side of the channel, Bob controls a device allowing him to measure quantum 
systems in two bases corresponding to X and Z. We will derive security bounds that are valid 
independently of the actual implementation of this device as long as the following condition is 
satisfied: we require that the probability that a signal is detected in Bob's device is independent 
of the basis choices (X or Z) by Alice and Bob. Note that this assumption is necessary. In fact, 
if it is not satisfied (which is the case for some implementations) a loophole arises that can be 
used to eavesdrop on the key without being detected [40]. (Remarkably, this assumption can be 
enforced device-independently: Bob simply substitutes a random bit whenever his device fails to 
detect Alice's signal. If this is done, however, the expected error rate may increase significantly.) 

Finally, we assume that it is theoretically possible to devise an apparatus for Bob which delays 
all the measurements in the X-basis until after parameter estimation, but produces the exact same 
measurement statistics as the actual device he uses. This assumption is satisfied if Bob's actual 
measurement device is memoryless. (To see this, note that we could (in theory) equip such a device 
with perfect quantum memory that stores the received state until after the parameter estimation 
has been done.) The assumption is already satisfied if the measurement statistics are unaffected 
when the memory of the actual device is reset after each measurement. It is an open question 
whether this assumption can be further relaxed. 

Protocol Definition 

We now define a family of protocols, $\Phi[n, k, \ell, Q_{\mathrm{tol}}, \varepsilon_{\mathrm{cor}}, \mathrm{leak}_{\mathrm{EC}}]$, which is parametrized by the 
block size, $n$, the number of bits used for parameter estimation, $k$, the secret key length, $\ell$, the 
channel error tolerance, $Q_{\mathrm{tol}}$, the required correctness, $\varepsilon_{\mathrm{cor}}$, and the error correction leakage, $\mathrm{leak}_{\mathrm{EC}}$. 
The protocol is asymmetric, so that the number of bits measured in the two bases ($n$ bits in the $X$ 
basis and $k$ bits in the $Z$ basis) are not necessarily equal [41]. 

These protocols are described in Table I. 

Security Analysis 

The following two theorems constitute the main technical result of our paper, stating that the 
protocols described above are both $\varepsilon_{\mathrm{cor}}$-correct and $\varepsilon_{\mathrm{sec}}$-secret if the secret key length is chosen 
appropriately. Correctness is guaranteed by the error correction step of the protocol, where a hash 
of Alice's raw key is compared with the hash of its estimate on Bob's side. The following holds: 

The protocol $\Phi[n, k, \ell, Q_{\mathrm{tol}}, \varepsilon_{\mathrm{cor}}, \mathrm{leak}_{\mathrm{EC}}]$ is $\varepsilon_{\mathrm{cor}}$-correct. 

The protocols are $\varepsilon_{\mathrm{sec}}$-secret if the length of the extracted secret key does not exceed a certain 
length. Asymptotically for large block sizes $n$, the reductions of the key length due to finite statistics 
and security parameters can be neglected, and a secret key of length $\ell_{\max} = n\,(q - h(Q_{\mathrm{tol}})) - \mathrm{leak}_{\mathrm{EC}}$ 
can be extracted securely. Here, $h$ denotes the binary entropy function. Since our statistical sample 
is finite, we have to add to the tolerated channel noise a term $\mu \approx \sqrt{(1/k)\,\ln(1/\varepsilon_{\mathrm{sec}})}$ that accounts 
for statistical fluctuations. Furthermore, the security parameters lead to a small reduction of the 
key rate logarithmic in $\varepsilon_{\mathrm{cor}}$ and $\varepsilon_{\mathrm{sec}}$. The following theorem holds: 

The protocol $\Phi[n, k, \ell, Q_{\mathrm{tol}}, \varepsilon_{\mathrm{cor}}, \mathrm{leak}_{\mathrm{EC}}]$ using a source with preparation quality $q$ is $\varepsilon_{\mathrm{sec}}$-secret if the 
secret key length $\ell$ satisfies 

$$\ell \le n\,\bigl(q - h(Q_{\mathrm{tol}} + \mu)\bigr) - \mathrm{leak}_{\mathrm{EC}} - \log\frac{2}{\varepsilon_{\mathrm{sec}}^2\,\varepsilon_{\mathrm{cor}}} , \quad \text{where} \quad \mu := \sqrt{\frac{n+k}{nk}\,\frac{k+1}{k}\,\ln\frac{1}{\varepsilon_{\mathrm{sec}}}} . \qquad (2)$$

TABLE I. Protocol Definition. 

State Preparation: The first four steps of the protocol are repeated for $i = 1, 2, \ldots, M$ until the condition 
in the Sifting step is met. 

Alice chooses a basis $a_i \in \{X, Z\}$, where $X$ is chosen with probability $p_x = (1 + \sqrt{k/n})^{-1}$ and $Z$ 
with probability $p_z = 1 - p_x$. (These probabilities are chosen in order to minimize the number $M$ 
of exchanged particles before Alice and Bob agree on the basis $X$ for $n$ particles and on the basis $Z$ 
for $k$ particles.) Next, Alice chooses a uniformly random bit $y_i \in \{0, 1\}$ and prepares the qubit in a 
state of basis $a_i$, given by $y_i$. Alternatively, if the source is entanglement-based, Alice will ask it to 
prepare a state in the basis $a_i$ and record the output in $y_i$. 

Distribution: Alice sends the qubit over the quantum channel to Bob. (Recall that Eve is allowed to 
arbitrarily interact with the system and we do not make any assumptions about what Bob receives.) 

Measurement: Bob also chooses a basis, $b_i \in \{X, Z\}$, with probabilities $p_x$ and $p_z$, respectively. He 
measures the system received from Alice in the chosen basis and stores the outcome in $y'_i \in \{0, 1, \emptyset\}$, 
where '$\emptyset$' is the symbol produced when no signal is detected. 

Sifting: Alice and Bob broadcast their basis choices over the classical channel. We define the sets 
$\mathcal{X} := \{i : a_i = b_i = X \wedge y'_i \neq \emptyset\}$ and $\mathcal{Z} := \{i : a_i = b_i = Z \wedge y'_i \neq \emptyset\}$. The protocol repeats the first steps as 
long as either $|\mathcal{X}| < n$ or $|\mathcal{Z}| < k$. 

Parameter Estimation: Alice and Bob choose a random subset of size $n$ of $\mathcal{X}$ and store the respective 
bits, $y_i$ and $y'_i$, into raw key strings $X$ and $X'$, respectively. 

Next, they compute the average error $\Lambda := \frac{1}{k}\sum_i y_i \oplus y'_i$, where the sum is over all $i \in \mathcal{Z}$. The 
protocol aborts if $\Lambda > Q_{\mathrm{tol}}$. 

Error Correction: An information reconciliation scheme that broadcasts at most $\mathrm{leak}_{\mathrm{EC}}$ bits of classical 
error correction data is applied. This allows Bob to compute an estimate, $\hat X$, of $X$. 

Then, Alice computes a bit string (a hash) of length $\lceil \log(1/\varepsilon_{\mathrm{cor}}) \rceil$ by applying a random universal$_2$ 
hash function [42] to $X$. She sends the choice of function and the hash to Bob. If the hash of $\hat X$ 
disagrees with the hash of $X$, the protocol aborts. 

Privacy Amplification: Alice extracts $\ell$ bits of secret key $S$ from $X$ using a random universal$_2$ hash 
function [43, 44]. (Instead of choosing a universal$_2$ hash function, which requires at least $n$ bits of 
random seed, one could instead employ almost two-universal$_2$ hash functions [45] or constructions 
based on Trevisan's extractor [46]. These techniques allow for a reduction in the random seed length 
while the security claims remain almost unchanged.) The choice of function is communicated to Bob, 
who uses it to calculate $\hat S$. 



A sketch of the proof of these two statements follows in the methods section and a rigorous proof 
of slightly more general versions of the theorems presented above can be found in Supplementary 
Material 1. 
DISCUSSION 

In this section, we discuss the asymptotic behavior of our security bounds and compare numer- 
ical bounds on the key rate for a finite number of exchanged signals with previous results. For this 
purpose, we assume that the quantum channel in the absence of an eavesdropper can be described 
as a depolarizing channel with quantum bit error rate Q. (Note that this assumption is not needed 
for the security analysis of the previous section.) The numerical results are computed for a perfect 
single-photon source, i.e. q = 1. Furthermore, finite detection efficiencies and channel losses are 
not factored into the key rates, i.e. the expected secret key rate calculated here can be understood 
as the expected key length per detected signal. 

The efficiency of a protocol $\Phi$ is characterized in terms of its expected secret key rate, 

$$r(\Phi, Q) := (1 - \varepsilon_{\mathrm{rob}})\,\frac{\ell}{M(n,k)} , \qquad (3)$$

where $M(n,k)$ is the expected number of qubits that need to be exchanged until $n$ raw key bits 
and $k$ bits for parameter estimation are gathered (see protocol description). 
[Figure 1: plot; x-axis: Post-Processing Block Size, n; y-axis: expected key rate r] 

FIG. 1. Expected Key Rate as Function of the Block Size. Plot of expected key rate $r$ as a function 
of the block size $n$ for channel bit error rates $Q \in \{1\%, 2.5\%, 5\%\}$ (from left to right). The security rate is 
fixed to $\varepsilon/\ell = 10^{-14}$. 

Before presenting numerical results for the optimal expected key rates for finite $n$, let us quickly 
discuss its asymptotic behavior for arbitrarily large $n$. It is easy to verify that the key rate 
asymptotically reaches $r_{\max}(Q) = 1 - 2h(Q)$ for arbitrary security bounds $\varepsilon > 0$. To see this, note 
that error correction can be achieved with a leakage rate of $h(Q)$ (see, e.g. [47]). Furthermore, if 
we choose, for instance, $k$ proportional to $\sqrt{n}$, the statistical deviation in (S3), $\mu$, vanishes and 
the ratio between the raw key length, $n$, and the expected number of exchanged qubits, $M(n,k)$, 
approaches one as $n$ tends to infinity, i.e., $n/M(n,k) \to 1$. This asymptotic rate is optimal [48]. 
Finally, the deviations of the key length in (S3) from its asymptotic limit can be explained as 
fluctuations that are due to the finiteness of the statistical samples we consider and the error 
bounds we chose. These terms are necessary for any finite-key analysis. In particular, one expects 
a statistical deviation $\mu$ that scales with the inverse of the square root of the sample size $k$ as 
in (S3) from any statistical estimation of the error rate. In this sense our result is tight. 

TABLE II. Optimized parameters for a given security rate $\varepsilon/\ell = 10^{-14}$. The column labeled $r_{\mathrm{rel}}$ shows the 
deviation of the expected secret key rate from the corresponding asymptotic value, i.e., $r_{\mathrm{rel}} := r/(1 - 2h(Q))$. 

n       Q (%)   r (%)   r_rel (%)   p_z (%)   Q_tol (%)   ε_rob (%) 
10^4    1.0     11.7    14.0        38.2      2.48        2.3 
10^4    2.5      6.8    10.4        43.0      3.78        3.0 
10^5    1.0     30.4    36.4        22.0      2.14        0.8 
10^5    2.5     21.5    32.6        23.3      3.58        1.0 
10^6    1.0     47.8    57.1        12.5      1.73        0.6 
10^6    2.5     35.7    53.9        13.7      3.21        0.7 

To obtain our results for finite block sizes $n$, we fix a security bound $\varepsilon$ and define an optimized 
$\varepsilon$-secure protocol, $\Phi[n, \varepsilon]$, that results from a maximization of the expected secret key rate over 
all $\varepsilon$-secure protocols with block size $n$. For the purpose of this optimization, we assume an error 
correction leakage of $\mathrm{leak}_{\mathrm{EC}} = \xi\, n\, h(Q_{\mathrm{tol}})$ with $\xi = 1.1$. Moreover, we bound the robustness $\varepsilon_{\mathrm{rob}}$ 
by the probability that the measured security parameter exceeds $Q_{\mathrm{tol}}$, which (for depolarizing 
channels) decays exponentially in $Q_{\mathrm{tol}} - Q$. (Note that, for general quantum channels, the error 
rate in the $X$ and $Z$ bases may be different. Hence, the error correction leakage is in general not 
a function of $Q_{\mathrm{tol}}$ but of the expected error rate in the $X$ basis. Similarly, $\varepsilon_{\mathrm{rob}}$ generally is the 
sum of the robustness of parameter estimation as above and the robustness of the error correction 
scheme. In this discussion, the analysis is simplified since we consider a depolarizing channel, and, 
thus, the expected error rate is the same in both bases.) 
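A worked computation of the finite-key bound of eq. (2), the expected key rate of eq. (3) and the grid optimization over $k$ and $Q_{\mathrm{tol}}$ that the paragraph above describes; this is added example code, not the authors' numerics. It assumes Table I's basis probabilities for $M(n,k)$, $\mathrm{leak}_{\mathrm{EC}} = 1.1\,n\,h(Q_{\mathrm{tol}})$ as above, fixed absolute $\varepsilon_{\mathrm{sec}}$ and $\varepsilon_{\mathrm{cor}}$ instead of a fixed security rate $\varepsilon/\ell$, and a Hoeffding tail as a stand-in for the unspecified robustness bound, so its rates come out below those of Table II.

```python
import math


def h(p):
    """Binary entropy function h(p) in bits (log is the binary logarithm, as in the paper)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def mu(n, k, eps_sec):
    """Statistical fluctuation term of eq. (2):
    mu = sqrt( (n+k)/(nk) * (k+1)/k * ln(1/eps_sec) )."""
    return math.sqrt((n + k) / (n * k) * (k + 1) / k * math.log(1.0 / eps_sec))


def max_key_length(n, k, q, q_tol, eps_sec, eps_cor, leak_ec):
    """Largest integer ell allowed by eq. (2); 0 if the bound is not positive.
    Q_tol + mu is clipped at 1/2, where h reaches 1 and the bound is already useless."""
    noise = min(q_tol + mu(n, k, eps_sec), 0.5)
    bound = n * (q - h(noise)) - leak_ec - math.log2(2.0 / (eps_sec ** 2 * eps_cor))
    return max(0, math.floor(bound))


def basis_probabilities(n, k):
    """Table I: p_x = (1 + sqrt(k/n))^-1 and p_z = 1 - p_x."""
    p_x = 1.0 / (1.0 + math.sqrt(k / n))
    return p_x, 1.0 - p_x


def expected_signals(n, k):
    """M(n,k): expected number of qubits exchanged until n X-basis and k Z-basis
    matches are sifted, counting detected signals only (as in the Discussion).
    A round lands in the X set with probability p_x^2 and in the Z set with p_z^2;
    with Table I's p_x both targets need the same (sqrt(n)+sqrt(k))^2 rounds."""
    p_x, p_z = basis_probabilities(n, k)
    return max(n / p_x ** 2, k / p_z ** 2)


def robustness_bound(k, q_ber, q_tol):
    """Assumed model (not the paper's): Hoeffding tail on the k-sample error for a
    depolarizing channel with QBER q_ber, i.e. exp(-2k (Q_tol - Q)^2)."""
    if q_tol <= q_ber:
        return 1.0
    return math.exp(-2.0 * k * (q_tol - q_ber) ** 2)


def expected_key_rate(n, k, q, q_ber, q_tol, eps_sec, eps_cor, xi=1.1):
    """Eq. (3): r = (1 - eps_rob) * ell / M(n,k), with leak_EC = xi * n * h(Q_tol)."""
    leak_ec = xi * n * h(q_tol)
    ell = max_key_length(n, k, q, q_tol, eps_sec, eps_cor, leak_ec)
    return (1.0 - robustness_bound(k, q_ber, q_tol)) * ell / expected_signals(n, k)


def optimize_protocol(n, q_ber, eps_sec, eps_cor, q=1.0, xi=1.1):
    """Grid search over k and Q_tol for the protocol with the largest expected rate.
    Returns (rate, k, Q_tol). The paper fixes the security rate eps/ell; here eps_sec
    and eps_cor are fixed absolute bounds (a simplifying assumption)."""
    best = (0.0, None, None)
    for frac in (0.02, 0.05, 0.1, 0.2, 0.3, 0.4, 0.6, 0.8, 1.0):
        k = max(1, int(frac * n))
        for step in range(1, 101):
            q_tol = q_ber + 0.0005 * step  # scan Q_tol from Q + 0.05 % up to Q + 5 %
            rate = expected_key_rate(n, k, q, q_ber, q_tol, eps_sec, eps_cor, xi)
            if rate > best[0]:
                best = (rate, k, q_tol)
    return best


if __name__ == "__main__":
    for n in (10 ** 4, 10 ** 5, 10 ** 6):
        rate, k, q_tol = optimize_protocol(n, 0.01, 1e-11, 1e-11)
        print(f"n={n:>7d}  k={k:>6d}  Q_tol={100 * q_tol:.2f}%  r={100 * rate:.1f}%")
```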

In Figure 1, we present the expected key rates $r = r(\Phi, Q)$ of the optimal protocols $\Phi[n, \varepsilon]$ 
as a function of the block size $n$. These rates are given for a fixed value of the security rate $\varepsilon/\ell$, 
i.e., the amount by which the security bound $\varepsilon$ increases per generated key bit. (In other words, 
$\varepsilon/\ell$ can be seen as the probability of key leakage per key bit.) The plot shows that significant key 
rates can be obtained already for $n = 10^4$. 

In Table II, we provide selected numerical results for the optimal protocol parameters that 
correspond to block sizes $n \in \{10^4, 10^5, 10^6\}$ and quantum bit error rates $Q \in \{1\%, 2.5\%\}$. These 
block sizes exemplify current hardware limitations in practical QKD systems. 

In Figure 2, we compare our optimal key rates with the maximal key rates that can be shown 
secure using the finite key analysis of Scarani and Renner [18]. For comparison with previous work, 
we plot the rate $\ell/n$, i.e. the ratio between key length and block size, instead of the expected secret 
key rate as defined by Eq. (3). We show a major improvement in the minimum block size required 
to produce a provably secret key. The improvements are mainly due to a more direct evaluation 
of the smooth min-entropy via the entropic uncertainty relation and the use of statistics optimized 
specifically to the problem at hand (cf. Supplementary Note 2). 

In conclusion, this article gives tight finite-key bounds for secure quantum key distribution with 
an asymmetric BB84 protocol. Our novel proof technique, based on the uncertainty principle, 
offers a conceptual improvement over earlier proofs that relied on a tomography of the state shared 
between Alice and Bob. Most previous security proofs against general adversaries, e.g. [7, 18, 20, 
21], are arranged in two steps: An analysis of the security against adversaries restricted to collective 
attacks and a lifting of this argument to general attacks. The lifting is often possible without a 
significant loss in key rate using modern techniques [24, 25]; hence, the main difference lies in 
the first part. In security proofs against collective attacks Alice and Bob usually do tomography 
on their shared state, i.e., they characterize the density matrix of their shared state. Since the 
eavesdropper can be assumed to hold a purification of this state, it is then possible to bound the 
von Neumann entropy of the eavesdropper on Alice's measurement result. The min-entropy of 
the eavesdropper is in turn bounded using the quantum asymptotic equipartition property [7, 49], 
introducing a penalty scaling with $1/\sqrt{n}$ on the key rate. (A notable exception is [20], where the 
min-entropy is bounded directly from the results of tomography.) 

[Figure 2: plot; x-axis: Sifted Key Length, N; y-axis: rate ℓ/N] 

FIG. 2. Comparison of Key Rate with Earlier Results. The plots show the rate $\ell/N$ as a function 
of the sifted key size $N = n + k$ for various channel bit error rates $Q$ (as in Fig. 1) and a security bound of 
$\varepsilon = 10^{-\ldots}$. The (curved) dashed lines show the rates that can be proven secure using [18]. The horizontal 
dashed lines indicate the asymptotic rates for $Q \in \{1\%, 2.5\%, 5\%\}$ (from top to bottom). 

In contrast, our approach bounds the min-entropy directly and does not require us to do 
tomography on the state shared between Alice and Bob. In fact, we are only interested in one 
correlation (between Z and Z') and, thus, our statistics can be produced more efficiently. (Note, 
however, that this is also the reason why our approach does not reach the asymptotic key rate for 
the 6-state protocol [50]. There, full tomography puts limits on Eve's information that go beyond 
the uncertainty relation in [22].) Finally, since our considerations are rather general, we believe 
that they can be extended to other QKD protocols. 

METHODS 
Correctness 

The required correctness is ensured in the error correction step of the protocol, when Alice 
and Bob compute and evaluate a random hash function of their keys. If these hash values 
disagree, the protocol aborts and both players output empty keys. (These keys are trivially correct.) 
Since arbitrary errors in the key will be detected with high probability when the hash values are 
compared [42], we can guarantee that Alice's and Bob's secret keys are also the same with high 
probability. 



Secrecy 

In order to establish the secrecy of the protocols, we consider a gedankenexperiment in which 
Alice and Bob, after choosing a basis according to probabilities $p_x$ and $p_z$ as usual, prepare and 
measure everything in the $Z$ basis. We denote the bit strings of length $n$ that replace the raw keys 
$X$ and $X'$ in this hypothetical protocol as $Z$ and $Z'$, respectively. The secrecy then follows from 
the fact that, if Alice has a choice of encoding a string of $n$ uniform bits in either the $X$ or $Z$ basis, 
the following holds: the better Bob is able to estimate Alice's string if she prepared in the $Z$ basis, 
the worse Eve is able to guess Alice's string if she prepared in the $X$ basis. This can be formally 
expressed in terms of an uncertainty relation for smooth entropies [22], 

(4) 

where $\varepsilon > 0$ is called a smoothing parameter and $q$, as we will see below, is the preparation 
quality defined previously. The smooth min-entropy, $H^{\varepsilon}_{\min}(X|E)$, introduced in [7], characterizes the 
average probability that Eve guesses $X$ correctly using her optimal strategy with access to the 
correlations stored in her quantum memory [51]. The smooth max-entropy, $H^{\varepsilon}_{\max}(Z|Z')$, corresponds 
to the number of additional bits that are needed in order to reconstruct the value of $Z$ using $Z'$ 
up to a failure probability $\varepsilon$ [52]. For precise mathematical definitions of the smooth min- and 
max-entropy, we refer to [53]. 

The sources we consider in this article are either a) qubit sources or b) sources that create BB84 
states by measuring part of an entangled state. In case b), a comparison with [22] reveals that 
the bound on the uncertainty is given by $-\log c$, where $c$ is the overlap of the two measurements 
employed in the source. For general POVMs, $\{M_x\}$ for preparing in the $X$ basis and $\{N_z\}$ for 
preparing in the $Z$ basis, this overlap is given by $c = \max \bigl\|\sqrt{M_x}\sqrt{N_z}\bigr\|_\infty^2$. This justifies the definition 
of the preparation quality $q = -\log c$ for such sources. In case a), the preparation process can be 
purified into an entanglement-based one of the type above. To see this, simply consider a singlet 
state between two qubits and projective measurements on the first qubit. It is easy to verify that 
the overlap of the prepared states in the two bases is equal to the overlap of the two projective 
measurements used to prepare them. Hence, the preparation quality of this source is given by 
$q = -\log c$, where $c$ is the maximum overlap of the prepared states. 

Note that — in the gedankenexperiment picture — the observed average error, $\Lambda$, is calculated 
from $k$ measurements sampled at random from $n + k$ measurements in the $Z$ basis. Hence, if $\Lambda$ is 
small, we deduce that, with high probability, $Z$ and $Z'$ are highly correlated and, thus, $H^{\varepsilon}_{\max}(Z|Z')$ 
is small. In fact, since the protocol aborts if $\Lambda$ exceeds $Q_{\mathrm{tol}}$, the following bound on the smooth 
max-entropy (conditioned on the correlation test passing) holds: 

(5) 

where $\mu$ takes into account statistical fluctuations and depends on the security parameter via $\varepsilon$. 
Eq. (5) is shown in Supplementary Note 2 using an upper bound by Serfling [54] on the probability 
that the average error on the sample, $\Lambda$, deviates by more than $\mu$ from the average error on the 
total string. (See also [55].) 

In addition to the uncertainty relation, our analysis employs the Quantum Leftover Hash 
Lemma [7, 45], which gives a direct operational meaning to the smooth min-entropy. It asserts 
that, using a random universal$_2$ hash function, it is possible to extract a $\Delta$-secret key of length $\ell$ 
from $X$, where 

$$\Delta = 2\varepsilon + \tfrac{1}{2}\sqrt{2^{\,\ell - H^{\varepsilon}_{\min}(X|E')}} . \qquad (6)$$

Here, $E'$ summarizes all information Eve learned about $X$ during the protocol — including the 
classical communication sent by Alice and Bob over the authenticated channel. For the protocol 
discussed here, a maximum of $\mathrm{leak}_{\mathrm{EC}} + \lceil \log(1/\varepsilon_{\mathrm{cor}}) \rceil$ bits of information about $X$ are revealed 
to the eavesdropper during the protocol. Hence, using a chain rule for smooth min-entropies, we 
can relate the smooth min-entropy prior to the classical post-processing, $H^{\varepsilon}_{\min}(X|E)$, with the 
min-entropy before privacy amplification, $H^{\varepsilon}_{\min}(X|E')$, as follows: 

$$H^{\varepsilon}_{\min}(X|E') \ge H^{\varepsilon}_{\min}(X|E) - \mathrm{leak}_{\mathrm{EC}} - \log\frac{1}{\varepsilon_{\mathrm{cor}}} . \qquad (7)$$

Collecting the bounds on the smooth entropies we got from the uncertainty relation, (S1), and the 
parameter estimation, (5), we further find that 

$$H^{\varepsilon}_{\min}(X|E') \ge n\,\bigl(q - h(Q_{\mathrm{tol}} + \mu)\bigr) - \mathrm{leak}_{\mathrm{EC}} - \log\frac{1}{\varepsilon_{\mathrm{cor}}} . \qquad (8)$$

Combining this with the Quantum Leftover Hashing Lemma (S2) and using the bound on the 
key length given in Eq. (S3), we get 

$$\Delta \le 2\varepsilon + \tfrac{1}{2}\sqrt{2^{\,\ell - H^{\varepsilon}_{\min}(X|E')}} \le 2\varepsilon + \ldots . \qquad (9)$$

Finally, the protocol is $\varepsilon_{\mathrm{sec}}$-secret if we choose $\varepsilon$ proportional to $\varepsilon_{\mathrm{sec}}$ and sufficiently small. 
SUPPLEMENTARY NOTE 1: FINITE KEY ANALYSIS

The required correctness is ensured during the error correction step of any protocol in the family.
There, Alice and Bob compute and compare a hash of length $\lceil \log(1/\varepsilon_{\rm cor}) \rceil$ by applying a random
universal$_2$ hash function to their keys, X and $\hat X$. If the hash values disagree, the protocol aborts.

Theorem 1. The protocol $\Phi[n, k, \ell, Q_{\rm tol}, \varepsilon_{\rm cor}, \mathrm{leak}_{\rm EC}]$ is $\varepsilon_{\rm cor}$-correct.

Proof. The defining property of such universal$_2$ families of hash functions [42] is the fact that the
probability with which $F(X)$ and $F(\hat X)$ coincide, if X and $\hat X$ are different and the hash function,
F, is chosen uniformly at random from the family, is at most $2^{-\lceil \log(1/\varepsilon_{\rm cor}) \rceil}$. Since the protocol
aborts if the hash values calculated from X and $\hat X$ after error correction do not agree, it is thus
ensured that $\Pr[S \ne \hat S] \le \Pr[X \ne \hat X] \le 2^{-\lceil \log(1/\varepsilon_{\rm cor}) \rceil} \le \varepsilon_{\rm cor}$. □
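The verification step behind Theorem 1 can be exercised in code. The following Python is an added illustration written for this page, not code from the paper or its authors: it instantiates the universal$_2$ family with Toeplitz-matrix hashing over GF(2) (the paper does not say which family is used; any universal$_2$ family works in the proof), uses the tag length $\lceil \log(1/\varepsilon_{\rm cor}) \rceil$ from the proof, and estimates the collision rate on constructed, seeded random inputs. The hash only detects a residual disagreement between X and $\hat X$; it does not correct it.

```python
import random
from math import ceil, log2


def verification_tag_length(eps_cor):
    """Tag length ceil(log(1/eps_cor)) used in the correctness proof (Theorem 1)."""
    return ceil(log2(1.0 / eps_cor))


def _reverse_bits(x, n):
    """Reverse the n-bit representation of x (bit j moves to position n-1-j)."""
    return int(format(x, f"0{n}b")[::-1], 2)


def toeplitz_hash(x, n, seed, t):
    """Hash the n-bit integer x to t bits with the Toeplitz matrix T[i][j] = seed bit (i-j+n-1).

    The seed is an (n+t-1)-bit integer.  With a uniformly random seed this is a
    universal_2 family: for x != y, Pr[T x = T y] = Pr[T (x xor y) = 0] = 2^-t.
    Row i of T, read along the input, is seed bits i .. i+n-1 against x reversed.
    """
    x_rev = _reverse_bits(x, n)
    mask = (1 << n) - 1
    out = 0
    for i in range(t):
        row = (seed >> i) & mask
        parity = bin(row & x_rev).count("1") & 1   # inner product over GF(2)
        out |= parity << i
    return out


def keys_verified(x_alice, x_bob, n, seed, t):
    """Alice and Bob each tag their string with the shared random seed and compare.
    True means the tags agree and the protocol continues; False means abort."""
    return toeplitz_hash(x_alice, n, seed, t) == toeplitz_hash(x_bob, n, seed, t)


def empirical_collision_rate(n, eps_cor, trials, rng_seed=1):
    """Fraction of constructed runs in which two *different* strings pass verification.
    Theorem 1 says this fraction is at most 2^-t <= eps_cor on average."""
    rng = random.Random(rng_seed)            # seeded: constructed inputs, reproducible
    t = verification_tag_length(eps_cor)
    collisions = 0
    for _ in range(trials):
        x = rng.getrandbits(n)
        x_hat = x ^ (rng.getrandbits(n) or 1)  # force x_hat != x
        seed = rng.getrandbits(n + t - 1)      # fresh hash choice per run
        if keys_verified(x, x_hat, n, seed, t):
            collisions += 1
    return collisions / trials


if __name__ == "__main__":
    eps_cor = 2 ** -8
    print("tag length:", verification_tag_length(eps_cor))
    print("collision rate:", empirical_collision_rate(32, eps_cor, 4000), "bound:", eps_cor)
```

The seed plays the role of the random choice of hash function in the proof; it must be drawn fresh and shared over the authenticated channel, since a fixed, predictable matrix would let a single bad pair of strings slip through every time.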
In order to prove the security of the protocols, we consider a gedankenexperiment in which Alice
and Bob, after choosing a basis according to probabilities $p_X$ and $p_Z$ as before, prepare and measure
everything in the Z basis. We denote the bit strings of length n that replace the raw keys X and
X' in this hypothetical protocol as Z and Z', respectively.

Security is now based on the observation that, if Alice has a choice of encoding a string of n
uniform bits in either the X or Z basis, then the following holds: the better Bob is able to estimate
Alice's string if she prepared in the Z basis, the worse Eve is able to guess Alice's string if she
prepared in the X basis. This can be formally expressed in terms of an uncertainty relation for
smooth entropies [22]

(S1)

where $\varepsilon' \ge 0$ is a smoothing parameter and q, as we see below, is the preparation quality defined in
the main text. The smooth min-entropy, $H^{\varepsilon'}_{\min}(X|E)$, introduced in [7], characterizes the average
probability that Eve guesses X correctly using her optimal strategy with access to the correlations
stored in her quantum memory [51]. The smooth max-entropy, $H^{\varepsilon'}_{\max}(Z|Z')$, is a measure of the
correlations between Z and Bob's data. For precise mathematical definitions of the smooth min-
and max-entropy, we refer to [53].

The sources we consider in this article are either a) qubit sources or b) sources that create
BB84-states by measuring part of an entangled state. In the latter case, a comparison with [22]
reveals that the bound on the uncertainty is given by $-\log c$, where c is the overlap of the two
measurements employed in the source. For general POVMs, $\{M_x\}$ for preparing in the X basis and
$\{N_z\}$ for preparing in the Z basis, this overlap is given by

$$ c = \max_{x,z} \big\| \sqrt{M_x}\,\sqrt{N_z} \big\|_{\infty}^{2} . $$

This justifies the definition of the preparation quality $q = -\log c$ (as defined in Section I.B of the
main text) for such sources.

On the other hand, if the prepared state is guaranteed to be a qubit state, the preparation
process can be purified into an entanglement-based one of the type above. To see this, simply
consider a singlet state between two qubits and projective measurements on the first qubit. It is
easy to verify that the overlap of the prepared states in the two bases is equal to the overlap of
the two projective measurements used to prepare them. Hence, the preparation quality of this
source is given by $q = -\log c$, where c is the maximum overlap of the prepared states (as defined
in Section I.B of the main text).

Apart from the uncertainty relation (S1), our analysis employs the Quantum Leftover Hash
Lemma [45] which gives a direct operational meaning to the smooth min-entropy. It asserts that,
using a random universal$_2$ hash function, it is possible to extract a $\Delta$-secret key of length $\ell$ from
X, where

(S2)

Here E' summarizes all information Eve learned about X during the protocol, including the
classical communication sent by Alice and Bob over the authenticated channel. Furthermore, the
extracted secret key is independent of the randomness that is used to choose the hash function.

The following theorem gives a sufficient condition for which a protocol $\Phi$ using a source with
preparation quality q is $\varepsilon_{\rm sec}$-secret. The minimum value $\varepsilon_{\rm sec}$ for which it is $\varepsilon_{\rm sec}$-secret is called the
secrecy of the protocol and is denoted by $\varepsilon_{\rm sec}(\Phi, q)$.

Theorem 2. The protocol $\Phi[n, k, \ell, Q_{\rm tol}, \varepsilon_{\rm cor}, \mathrm{leak}_{\rm EC}]$ using a source with preparation quality q is
$\varepsilon_{\rm sec}$-secret for some $\varepsilon_{\rm sec} > 0$ if $\ell$ satisfies¹

$$ \ell \le \max_{\varepsilon, \bar\varepsilon} \Big\{ n\big(q - h(Q_{\rm tol} + \mu(\varepsilon))\big) - 2\log\frac{1}{2\bar\varepsilon} - \mathrm{leak}_{\rm EC} - \log\frac{2}{\varepsilon_{\rm cor}} \Big\} , $$ (S3)

where we optimize over $\varepsilon > 0$ and $\bar\varepsilon > 0$ s.t. $2\varepsilon + \bar\varepsilon \le \varepsilon_{\rm sec}$ and

$$ \mu(\varepsilon) := \sqrt{\frac{n+k}{nk}\,\frac{k+1}{k}\,\ln\frac{1}{\varepsilon}} . $$

Proof. In the gedankenexperiment picture described above, $\Lambda$ is a random variable calculated from
at least k measurements sampled at random from n + k measurements in the Z basis. Hence, if $\Lambda$
is small, we deduce that, with high probability, Z and Z' are highly correlated and $H^{\varepsilon'}_{\max}(Z|Z')$ is
small. This is elaborated in Lemma 3, where it is shown that, conditioned on the event that the
correlation test passed ($\Lambda \le Q_{\rm tol}$), the following bound on the smooth max-entropy holds,

$$ H^{\varepsilon'}_{\max}(Z|Z')_{\rho} \le n\,h(Q_{\rm tol} + \mu(\varepsilon)) , $$ (S5)

where $\varepsilon' = \varepsilon/\sqrt{P_{\rm pass}}$ and $P_{\rm pass} \ge 1 - P_{\rm abort}$ is the probability that the correlation test passes.
Here, $\rho$ is the state of the system conditioned on the event that the correlation test passed. More
precisely, we consider the state $\rho_{ABE}$ of the n systems shared between Alice and Bob as well
as Eve's information. Moreover, the classical joint probability distributions $P_{XX'}$ and $P_{ZZ'}$ are
induced by the respective measurement on A and B. (Note that these states are well-defined
since, by assumption, we know that the measurement of the n bits used for key generation can be
postponed until after parameter estimation.)

We now apply the uncertainty relation, $H^{\varepsilon'}_{\min}(X|E)_{\rho} \ge nq - H^{\varepsilon'}_{\max}(Z|Z')_{\rho}$, on this state to find
a lower bound on the min-entropy that Eve has about Alice's bits prepared in the X basis. Since a
maximum of $\mathrm{leak}_{\rm EC} + \lceil \log(1/\varepsilon_{\rm cor}) \rceil \le \mathrm{leak}_{\rm EC} + \log(2/\varepsilon_{\rm cor})$ bits of information about X are revealed
during error correction, we find²

$$ H^{\varepsilon'}_{\min}(X|E')_{\rho} \ge H^{\varepsilon'}_{\min}(X|E)_{\rho} - \mathrm{leak}_{\rm EC} - \log\frac{2}{\varepsilon_{\rm cor}} $$ (S6)
$$ \ge nq - H^{\varepsilon'}_{\max}(Z|Z')_{\rho} - \mathrm{leak}_{\rm EC} - \log\frac{2}{\varepsilon_{\rm cor}} $$ (S7)
$$ \ge n\big(q - h(Q_{\rm tol} + \mu(\varepsilon))\big) - \mathrm{leak}_{\rm EC} - \log\frac{2}{\varepsilon_{\rm cor}} . $$ (S8)

Thus, combining this with (S2) and using the proposed key length (S3), we find, for all $\varepsilon$ and $\bar\varepsilon$,

$$ \Delta \le 2\varepsilon' + \frac{1}{2}\sqrt{2^{\,\ell - H^{\varepsilon'}_{\min}(X|E')_{\rho}}} \le 2\varepsilon' + \bar\varepsilon . $$ (S9)

The security of the protocol now follows since $(1 - P_{\rm abort})\,\Delta \le 2\varepsilon + \bar\varepsilon \le \varepsilon_{\rm sec}$. □
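To see what Theorem 2 yields for concrete block sizes, the following Python evaluates the right-hand side of (S3) with $\mu(\varepsilon)$ as defined in the theorem and the truncated binary entropy $h$ of footnote 1. It is an added example, not the paper's own code. Three things are assumptions made here rather than statements of the paper: the leak$_{\rm EC}$ model (a fixed multiple of $n\,h(Q_{\rm tol})$), the way the maximisation over $\varepsilon, \bar\varepsilon$ is carried out (saturating $2\varepsilon + \bar\varepsilon = \varepsilon_{\rm sec}$ and scanning $\varepsilon$ on a logarithmic grid), and the numeric parameters.

```python
from math import log, log2, sqrt


def h(x):
    """Truncated binary entropy of footnote 1: binary entropy for x <= 1/2, and 1 otherwise."""
    if x <= 0.0:
        return 0.0
    if x >= 0.5:
        return 1.0
    return -x * log2(x) - (1.0 - x) * log2(1.0 - x)


def mu(eps, n, k):
    """Statistical fluctuation term mu(eps) of Theorem 2 (identical to (S15))."""
    return sqrt((n + k) / (n * k) * (k + 1) / k * log(1.0 / eps))


def key_length_for(eps, eps_bar, n, k, q, q_tol, leak_ec, eps_cor):
    """Right-hand side of (S3) for one fixed pair (eps, eps_bar)."""
    return (n * (q - h(q_tol + mu(eps, n, k)))
            - 2.0 * log2(1.0 / (2.0 * eps_bar))
            - leak_ec
            - log2(2.0 / eps_cor))


def max_key_length(n, k, q, q_tol, leak_ec, eps_cor, eps_sec, grid=200):
    """Maximise (S3) subject to 2 eps + eps_bar <= eps_sec.

    Assumption made here (the paper does not prescribe the optimiser): the constraint is
    saturated, eps_bar = eps_sec - 2 eps, since a larger eps_bar only raises the bound,
    and eps is scanned on a logarithmic grid strictly below eps_sec / 2.
    Returns (ell, eps, eps_bar); a negative ell means no key can be extracted.
    """
    best = None
    for i in range(1, grid):
        eps = 0.5 * eps_sec * 10.0 ** (-12.0 * (1.0 - i / grid))
        eps_bar = eps_sec - 2.0 * eps
        ell = key_length_for(eps, eps_bar, n, k, q, q_tol, leak_ec, eps_cor)
        if best is None or ell > best[0]:
            best = (ell, eps, eps_bar)
    return best


def leak_ec_estimate(n, q_tol, efficiency=1.16):
    """Constructed leak_EC model: an error-correcting code that discloses
    efficiency * n * h(Q_tol) bits.  The factor 1.16 is an assumption, not a value from the paper."""
    return efficiency * n * h(q_tol)


if __name__ == "__main__":
    q_tol, eps = 0.01, 1e-10          # constructed parameters; q = 1 for an ideal qubit source
    for block in (10 ** 3, 10 ** 4, 10 ** 5, 10 ** 6):
        n = k = block // 2
        ell, e, e_bar = max_key_length(n, k, 1.0, q_tol, leak_ec_estimate(n, q_tol), eps, eps)
        print(f"N={block:>8}  ell={max(int(ell), 0):>7}  rate={max(ell, 0.0) / block:.3f}  eps={e:.2e}")
```

Running the script shows the finite-size effect the main text is about: with a few hundred signals the fluctuation term $\mu(\varepsilon)$ pushes $h(Q_{\rm tol} + \mu)$ to its cap of 1 and no key survives, while the secret fraction approaches $q - h(Q_{\rm tol}) - \mathrm{leak}_{\rm EC}/n$ only as $n$ grows large.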



SUPPLEMENTARY NOTE 2: STATISTICS

This section covers the statistical analysis of the classical data collected during the run of the
BB84-type protocols described in this work. A more general framework for such an analysis can
be found in [19].

¹ Here, h is a truncated binary entropy function, i.e. $h : x \mapsto -x\log x - (1-x)\log(1-x)$ if $x \le 1/2$ and 1 otherwise.
² Formally, this requires use of the chain rule $H^{\varepsilon}_{\min}(X|EC) \ge H^{\varepsilon}_{\min}(X|E) - \log|C|$, where C is any classical information
about X.
We use the notation of the previous sections and define N := n + k. The fraction of bits that
are used for parameter estimation is denoted as $\nu$, i.e. $k = \nu N$ and $n = (1 - \nu)N$.

The statistical analysis is based on a gedankenexperiment, where Alice and Bob measure all
N states with $i \in X \cup Z$ in the control basis, Z, resulting in strings $Z_{\rm tot}$ and $Z'_{\rm tot}$ for Alice and
Bob, respectively. The following random variables are of interest to us. The relative Hamming
distance between Alice's and Bob's bit-string is defined as $\Lambda_{\rm tot} = |Z_{\rm tot} \oplus Z'_{\rm tot}|/N$, where $|\cdot|$ denotes
the Hamming weight. Similarly, $\Lambda = \Lambda_{\rm PE}$ denotes the relative Hamming distance between the
random subsets $Z_{\rm PE}$ of $Z_{\rm tot}$ and $Z'_{\rm PE}$ of $Z'_{\rm tot}$ used for parameter estimation. Finally, $\Lambda_{\rm key}$ is the
relative Hamming distance between the remainders of the strings, denoted $Z = Z_{\rm key}$ and $Z' = Z'_{\rm key}$.
Clearly,

$$ \Lambda_{\rm tot} = \nu\Lambda + (1 - \nu)\Lambda_{\rm key} . $$

The k bits used for parameter estimation are chosen at random from N bits. Hence, if we
fix $\Lambda_{\rm tot} = \lambda_{\rm tot}$ for the moment, the random variables $\Lambda$ and $\Lambda_{\rm key}$ can be seen as emanating from
sampling without replacement. We apply the bound [54]

$$ \Pr\big[\Lambda_{\rm key} \ge \lambda_{\rm tot} + \delta \,\big|\, \Lambda_{\rm tot} = \lambda_{\rm tot}\big] \le e^{-2\delta^{2}\frac{nN}{k+1}} . $$ (S10)

We now derive a bound on the probability that $\Lambda_{\rm key}$ exceeds $\Lambda$ by more than a constant $\mu$ condi-
tioned on the event that we passed the correlation test. (Note that, while $\Lambda$ is accessible during
the protocol, $\Lambda_{\rm key}$ is the quantity we are actually interested in.) We find, using Bayes' theorem,

$$ \Pr\big[\Lambda_{\rm key} \ge \Lambda + \mu \,\big|\, \text{"pass"}\big] \le \frac{1}{P_{\rm pass}} \Pr\big[\Lambda_{\rm key} \ge \Lambda + \mu\big] , $$ (S11)

where we keep $P_{\rm pass} = \Pr[\text{"pass"}] = \Pr[\Lambda \le Q_{\rm tol}]$ as a parameter and further bound

$$ \Pr\big[\Lambda_{\rm key} \ge \Lambda + \mu\big] = \Pr\big[\Lambda_{\rm key} \ge \Lambda_{\rm tot} + \nu\mu\big] $$ (S12)
$$ = \sum_{\lambda_{\rm tot}} \Pr[\Lambda_{\rm tot} = \lambda_{\rm tot}]\, \Pr\big[\Lambda_{\rm key} \ge \lambda_{\rm tot} + \nu\mu \,\big|\, \Lambda_{\rm tot} = \lambda_{\rm tot}\big] \le e^{-2\frac{kn}{N}\frac{k}{k+1}\mu^{2}} . $$ (S13)

We used (S10) to bound each summand individually. Finally, defining $\varepsilon := e^{-\frac{kn}{N}\frac{k}{k+1}\mu^{2}}$, we write

$$ \Pr\big[\Lambda_{\rm key} \ge \Lambda + \mu \,\big|\, \text{"pass"}\big] \le \frac{\varepsilon^{2}}{P_{\rm pass}} . $$ (S14)
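The chain (S10) to (S14) can be checked numerically by simulating the gedankenexperiment itself: fix a total error pattern, draw the k parameter-estimation positions without replacement, and count how often $\Lambda_{\rm key}$ exceeds $\Lambda + \mu$. The Python below is an added example, not code from the paper; the error pattern, block sizes, trial counts and random seed are constructed, and the inversion between $\mu$ and $\varepsilon$ follows the definition of $\varepsilon$ given just before (S14).

```python
import random
from math import exp, log, sqrt


def mu_from_eps(eps, n, k):
    """mu as a function of eps (the form used in Theorem 2 and (S15))."""
    return sqrt((n + k) / (n * k) * (k + 1) / k * log(1.0 / eps))


def eps_from_mu(mu, n, k):
    """The definition eps := exp(-(kn/N)(k/(k+1)) mu^2) preceding (S14)."""
    big_n = n + k
    return exp(-(k * n / big_n) * (k / (k + 1)) * mu ** 2)


def serfling_bound(mu, n, k):
    """Right-hand side of (S13): exp(-2 (kn/N)(k/(k+1)) mu^2), i.e. eps^2."""
    return eps_from_mu(mu, n, k) ** 2


def split_errors(total_errors, n, k, rng):
    """One run of the gedankenexperiment of Supplementary Note 2.

    Constructed setting: N = n + k positions, of which the first `total_errors` carry a
    disagreement between Z_tot and Z'_tot (only the count matters for the statistics).
    k positions are drawn uniformly without replacement for parameter estimation.
    Returns (Lambda, Lambda_key): the observed and the unobserved relative error rates.
    """
    pe_positions = rng.sample(range(n + k), k)
    errors_in_pe = sum(1 for p in pe_positions if p < total_errors)
    lam = errors_in_pe / k
    lam_key = (total_errors - errors_in_pe) / n
    return lam, lam_key


def deviation_frequency(total_errors, n, k, mu, trials, rng_seed=7):
    """Empirical estimate of Pr[Lambda_key >= Lambda + mu], the quantity bounded in (S12)-(S13)."""
    rng = random.Random(rng_seed)    # seeded so the constructed experiment is reproducible
    exceed = 0
    for _ in range(trials):
        lam, lam_key = split_errors(total_errors, n, k, rng)
        if lam_key >= lam + mu:
            exceed += 1
    return exceed / trials


if __name__ == "__main__":
    n = k = 1000                      # constructed block sizes, N = 2000
    for eps in (0.5, 0.3, 0.1):
        m = mu_from_eps(eps, n, k)
        freq = deviation_frequency(200, n, k, m, 2000)
        print(f"eps={eps}: mu={m:.4f}  empirical={freq:.4f}  bound eps^2={serfling_bound(m, n, k):.4f}")
```

The empirical frequency sits far below $\varepsilon^2$: Serfling's inequality is a worst-case tail bound valid for every error pattern, which is exactly why it can be used in a security proof, and also why the resulting $\mu$ is conservative compared with the fluctuations one actually observes.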

The above result can be used to bound the uncertainty Bob has about Alice's measurement
outcomes in the Z-basis, as expressed using the smooth max-entropy of Z given Z' and $\Lambda$. The
entropy is evaluated for the probability distribution conditioned on the event that the correlation
test passed, which we denote $P_{ZZ'\Lambda}(z, z', \lambda) = \Pr[Z = z \wedge Z' = z' \wedge \Lambda = \lambda \,|\, \text{"pass"}]$.

Lemma 3. Let $\varepsilon > 0$. Then

$$ H^{\varepsilon'}_{\max}(Z|Z')_{P} \le n\,h(Q_{\rm tol} + \mu) , \quad \text{where } \varepsilon' := \frac{\varepsilon}{\sqrt{P_{\rm pass}}} \text{ and } \mu := \sqrt{\frac{n+k}{nk}\,\frac{k+1}{k}\,\ln\frac{1}{\varepsilon}} . $$ (S15)

Proof. According to (S14), the probability that $\Lambda_{\rm key}$ exceeds $\Lambda$ by more than $\mu$ is bounded. In
fact, we can find a probability distribution,

$$ Q_{ZZ'\Lambda}(z, z', \lambda) := \begin{cases} \dfrac{P_{ZZ'\Lambda}(z, z', \lambda)}{\Pr[\Lambda_{\rm key} < \Lambda + \mu \,|\, \text{"pass"}]} & \text{if } \Lambda_{\rm key}(z, z') < \lambda + \mu \\[1ex] 0 & \text{else} \end{cases} $$ (S16)

which is $\varepsilon'$-close to $P_{ZZ'\Lambda}$ in terms of the purified distance. To see this, note that the fidelity
between the two distributions satisfies

$$ F(P, Q) := \sum_{z, z', \lambda} \sqrt{P_{ZZ'\Lambda}(z, z', \lambda)\, Q_{ZZ'\Lambda}(z, z', \lambda)} = \sqrt{\Pr[\Lambda_{\rm key} < \Lambda + \mu \,|\, \text{"pass"}]} , $$ (S17)

which can be bounded using (S14). The purified distance between the distributions is then given by
$P(P, Q) := \sqrt{1 - F^{2}(P, Q)} \le \varepsilon'$. Hence, under the distribution Q, we have $\Lambda_{\rm key} < \Lambda + \mu \le Q_{\rm tol} + \mu$
with certainty. In particular, the total number of errors on n bits, $W := n\Lambda_{\rm key}$, satisfies

$$ W \le \lfloor n(Q_{\rm tol} + \mu) \rfloor . $$ (S18)

The max-entropy, $H_{\max}(Z|Z')$, is upper bounded by the minimum number of bits of additional
information about Z needed to perfectly reconstruct Z from Z' [52]. This value can in turn be
upper bounded by the logarithm of the maximum support of Z conditioned on any value Z' = z'.
Since the total number of errors under Q satisfies (S18), we may write

$$ H^{\varepsilon'}_{\max}(Z|Z')_{P} \le H_{\max}(Z|Z')_{Q} \le \log \sum_{w=0}^{W} \binom{n}{w} \le n\,h(Q_{\rm tol} + \mu) . $$ (S19)

The last inequality is shown in [55], Section 1.4. This concludes the proof of Lemma 3. □